Stephen John Smoogen wrote:
> Vijay S Sarvepalli VSSARVEP wrote:
>> Anybody care to share their concerns on UDP fragments across their
>> perimeter? It seems like there is no
>> valid traffic that needs it. eMule? I am not sure if there are only
>> P2P use it.
>
> My normal mode of activity is to drop UDP and ICMP fragments at any
> border where I am going to use detection tools to examine traffic.
> Fragmented UDP and ICMP are normally used to evade various tools and in
> legitimate traffic a sign of something broken.

Any tools worth their salt will reassemble packets *before* examining
the contents and will flag overlapping fragments. I don't see this as a
valid argument for dropping UDP fragments. Our firewall (OpenBSD's pf)
actually does the reassembly at the border which is another way of
dealing with the issue.

Russell.
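
The reassemble-before-inspecting approach discussed in this thread, as an added example that is not part of any poster's message and is not pf's or any detection tool's code: a minimal reassembler that flags overlapping fragments before the payload would be handed to content inspection. The `Fragment` class, the `reassemble` function and the "first byte seen wins" overlap policy are assumptions made for the illustration, and the sample fragments are constructed.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # payload byte offset (IP fragment-offset field * 8)
    more: bool    # MF ("more fragments") flag
    data: bytes

def reassemble(fragments):
    """Reassemble one datagram's fragments; return (payload_or_None, findings).

    Assumes the caller already grouped fragments by (src, dst, proto, IP ID).
    Overlap policy here is "first byte seen wins", chosen for the example.
    """
    findings, buf, total = [], {}, None
    for f in sorted(fragments, key=lambda f: f.offset):
        end = f.offset + len(f.data)
        if f.more and len(f.data) % 8:
            findings.append(f"non-final fragment at {f.offset} is not a multiple of 8 bytes")
        if not f.more:
            if total not in (None, end):
                findings.append("conflicting final fragments")
            total = end
        hit = [i for i in range(f.offset, end) if i in buf]
        if hit:
            differs = any(buf[i] != f.data[i - f.offset] for i in hit)
            kind = "conflicting data" if differs else "identical data"
            findings.append(f"overlap at bytes {hit[0]}-{hit[-1]} ({kind})")
        for i in range(f.offset, end):
            buf.setdefault(i, f.data[i - f.offset])  # keep the first byte seen
    if total is None:
        return None, findings + ["final fragment missing"]
    if any(i not in buf for i in range(total)):
        return None, findings + ["hole in datagram"]
    if max(buf, default=-1) >= total:
        findings.append("data past final fragment")
    return bytes(buf[i] for i in range(total)), findings

# Constructed sample input, not captured traffic.
CLEAN = [Fragment(8, False, b"BBBB"), Fragment(0, True, b"A" * 8)]
OVERLAP = [Fragment(0, True, b"A" * 16), Fragment(8, False, b"X" * 8 + b"CC")]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP)):
        print(name, reassemble(frags))
```

An inspection engine would run its signatures over the returned payload only, and treat any "conflicting data" finding as an alert in its own right, since the end host may resolve the overlap differently from the sensor.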